Remote Desktop File Opened from Suspicious Path

Elastic Detection Rules

Summary
This detection rule identifies attempts to open Remote Desktop Protocol (RDP) connection files from suspicious file paths on Windows systems. Attackers may use .rdp files, commonly delivered through phishing, to gain unauthorized access to systems. The rule uses an EQL query that flags process events where 'mstsc.exe' (the Windows Remote Desktop client) is started with command-line arguments matching specific patterns, typically paths from which RDP files are not normally opened (e.g., temporary directories and the Downloads folder). A match indicates a potential security threat and warrants further investigation. The rule is integrated into a broader monitoring framework intended to support an effective response to related threats, with a focus on initial access methods and command-and-control tactics.
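The following Python is an added illustration of the detection logic the summary describes, not Elastic's EQL rule or its exact path list; it applies the same idea (mstsc.exe launched with an .rdp file from Temp or Downloads) to constructed process-start events, including an unquoted path and a legitimate launch from Documents. The directory patterns and event field names are assumptions.

```python
import re
from typing import Optional

# Directories treated as suspicious origins for an .rdp file. Assumed for this
# example (Temp and Downloads, as the rule summary names); the real rule's list
# may differ.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\\Users\\[^\\]+\\Downloads\\",
        r"\\AppData\\Local\\Temp\\",
        r"\\Windows\\Temp\\",
    )
]

# First argument ending in .rdp, whether quoted ("C:\path with spaces\x.rdp") or not.
RDP_ARG_RE = re.compile(r'"([^"]+\.rdp)"|(\S+\.rdp)\b', re.IGNORECASE)


def extract_rdp_path(command_line: str) -> Optional[str]:
    """Return the .rdp file path passed on the command line, or None."""
    m = RDP_ARG_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious_rdp_launch(event: dict) -> bool:
    """True when mstsc.exe starts with an .rdp file located in a suspicious directory."""
    proc = event.get("process", {})
    if proc.get("name", "").lower() != "mstsc.exe":
        return False
    path = extract_rdp_path(proc.get("command_line", ""))
    if path is None:
        return False  # e.g. "mstsc.exe /v:host" carries no .rdp file at all
    return any(p.search(path) for p in SUSPICIOUS_DIR_PATTERNS)


# Constructed sample events (ECS-like field names); not real telemetry.
SAMPLE_EVENTS = [
    {"host": {"name": "ws-alice"}, "process": {"name": "mstsc.exe",
        "command_line": r'mstsc.exe "C:\Users\alice\Downloads\invoice.rdp"'}},
    {"host": {"name": "ws-bob"}, "process": {"name": "MSTSC.EXE",
        "command_line": r"mstsc.exe C:\Users\bob\AppData\Local\Temp\7zO1234\remote.rdp"}},
    {"host": {"name": "ws-carol"}, "process": {"name": "mstsc.exe",
        "command_line": r"mstsc.exe /v:fileserver01"}},
    {"host": {"name": "ws-dave"}, "process": {"name": "mstsc.exe",
        "command_line": r'mstsc.exe "C:\Users\dave\Documents\office.rdp"'}},
    {"host": {"name": "ws-alice"}, "process": {"name": "notepad.exe",
        "command_line": r'notepad.exe "C:\Users\alice\Downloads\invoice.rdp"'}},
]


def find_alerts(events: list) -> list:
    """Return (host, rdp_path) for every event that matches the detection."""
    return [(e["host"]["name"], extract_rdp_path(e["process"]["command_line"]))
            for e in events if is_suspicious_rdp_launch(e)]
```

Only the Downloads and Temp launches alert; the plain /v: connection, the Documents file and the non-mstsc process are ignored.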
Categories
  • Endpoint
  • Windows
  • Cloud
  • Mobile
Data Sources
  • Process
  • Windows Registry
  • File
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1566
  • T1566.001
Created: 2024-11-05